We just had an internal vulnerability scan done. The company used a Qualys appliance and the report showed three entries on my Zimbra server.

"SSL Server Allows Anonymous Authentication Vulnerability"

It is listing ports 25, 465, 587 as the offending services.

I have an Ubuntu 8.04 server out-of-the-box installation running a similarly basic Zimbra installation. I know those ports are SMTP related but not sure how to resolve the errors if they can even be resolved. I don't really use the mail side of Zimbra that much. We mostly wanted the calendar feature. But on occasion I scan something with our network copier and email it to my Zimbra account. So that feature is nice.

I am by no means a Linux guru so newbie style instructions would be nice.

Please note that some vendors may allow the initial SSL connection with an anonymous cipher, but disallow the connection once the underlying service is exercised.

I'm pretty sure that what's going on is that all three ports are working as intended by allowing an SSL connection to be initiated anonymously and then doing an SMTP handshake. Port 25 shouldn't require any authentication since it's used to receive mail from foreign servers and to relay mail from trusted networks. Ports 465 and 587 are used to relay mail but only after authentication within SMTP.
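The Qualys note quoted above talks about "an anonymous cipher": TLS cipher suites (ADH/AECDH) that carry no certificate, so the client never authenticates the server. That is a separate question from SMTP AUTH, and it can be checked directly by offering the server nothing but anonymous suites and seeing whether the handshake completes. The script below is an added example for this thread, not code from the original posts or from Zimbra; it assumes `openssl` is on PATH, that the host name you pass is your own server, and that ports 25/587 use STARTTLS while 465 is TLS-on-connect, as the scan report lists them.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from Zimbra).
# Probes SMTP services for anonymous TLS cipher suites with openssl s_client.
# Assumptions: an "openssl" binary on PATH; the host passed as $1 is yours;
# ports 25/587 speak STARTTLS and 465 speaks TLS on connect.

# Decide what a captured s_client run tells us.
# Prints "anonymous" when the handshake completed with an anonymous suite
# (ADH-* or AECDH-*), "refused" otherwise (handshake alert, no shared
# cipher, or no session at all).
classify_tls_probe() {
    if printf '%s\n' "$1" | grep -Eq '(Cipher +: +|Cipher is )(ADH|AECDH)-'; then
        echo anonymous
    else
        echo refused
    fi
}

# Run one probe. $1 host, $2 port, $3 "starttls" (25/587) or "tls" (465).
# -cipher aNULL offers only anonymous suites, so the handshake can succeed
# only if the server is willing to use one. -tls1_2 pins the protocol:
# anonymous suites do not exist in TLS 1.3, and on OpenSSL 1.1.1+ -cipher
# does not restrict TLS 1.3 suites, so without the pin a 1.3 handshake would
# succeed and look like a false "anonymous" result. (On OpenSSL 0.9.8, as
# shipped with Ubuntu 8.04, use -tls1 instead of -tls1_2.)
probe_port() {
    host=$1; port=$2; mode=$3
    case $mode in
        starttls) extra="-starttls smtp" ;;
        *)        extra="" ;;
    esac
    # shellcheck disable=SC2086  # $extra is intentionally word-split
    out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" \
              $extra -cipher aNULL -tls1_2 2>&1)
    printf '%s/%s: %s\n' "$port" "$mode" "$(classify_tls_probe "$out")"
}

# Probe the three ports from the scan report when a host is given.
if [ -n "$1" ]; then
    probe_port "$1" 25  starttls
    probe_port "$1" 587 starttls
    probe_port "$1" 465 tls
fi
```

Run it as `sh probe.sh mail.example.com` (hypothetical host name). A line reporting "anonymous" means a man-in-the-middle could impersonate the server during the TLS handshake without a certificate; that matters most on 465 and 587, where users hand over credentials, and less on 25, where MTA-to-MTA STARTTLS is opportunistic and rarely verifies certificates anyway. The Postfix parameters that remove these suites are `smtpd_tls_exclude_ciphers = aNULL` and, for the ports that require TLS, `smtpd_tls_mandatory_exclude_ciphers = aNULL`. Zimbra regenerates the MTA's main.cf from its own configuration, so hand edits to that file do not survive; consult the documentation for your ZCS release for the supported way to set Postfix parameters.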

12-07-2010, 01:59 PM

eldon96

Quote:

Originally Posted by ewilen

I'm pretty sure that what's going on is that all three ports are working as intended by allowing an SSL connection to be initiated anonymously and then doing an SMTP handshake.

I agree though I was hoping to find a way to resolve the issue. However, if there isn't any more specific information I guess I'll document that Qualys info you posted and report to the board that they are false positives.

Thank you,
Mike

12-07-2010, 02:50 PM

ewilen

Again, I'm pretty sure that everything is working the way it's intended, and that this is secure. That said, gmail doesn't show the "vulnerability" on port 587 connections: